
The festive season makes everyone a prime target for scams. Shoppers fall into the trap of fake products, and business owners facing the year-end rush inadvertently become prey. In fact, Microsoft’s latest security insights, Cyber Signals and Digital Defence Report 2025, reveal a surge in sophisticated scams targeting individuals and businesses during this period.
There are a few ways that SMEs can remain vigilant. Kerissa Varma, Microsoft Chief Security Advisor Africa, has a few tips.
Emerging Holiday Threats
According to Varma, attackers are increasingly turning to techniques that exploit trusted systems and familiar behaviours. “These methods are not abstract risks, but concrete tactics that are already being deployed to compromise accounts and data,” she shares.
Device Code Phishing
Scammers may send messages asking individuals to enter a code on a website to “verify their identity” or “confirm a purchase.” Entering these codes can give attackers access to the victim’s accounts without needing a password. Always be suspicious of unexpected requests, especially during online shopping.
Fake CAPTCHA Attacks
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It is used to distinguish between bots and humans, and falls into the category of security measures known as challenge-response authentication. Attacks are on the rise in which individuals may receive e-mails with links to flight deals or holiday offers, only to land on a site with a CAPTCHA and instructions to copy and paste a command into their computer. “This is a ploy to trick victims into running malicious software,” she warns. “The rule of thumb is to never copy commands from unknown sources.”
Tech Support Scams
Attackers impersonate IT support, urging individuals to grant remote access to “fix” non-existent problems. Unfortunately, no account is safe: Whether it is your Microsoft or bank account, attackers try their luck with everyone. But Varma reminds SMEs that no one will ever contact you unexpectedly by phone or text – there will be other methods of reaching out to you with account issues.
AI-enhanced Phishing
Society has yet to gain a full understanding of the true power of AI. “Our 2025 Microsoft Digital Defence Report highlights that AI-enabled phishing e-mails are 4 and a half times more likely to be clicked on than traditional ones because they appear credible,” Varma highlights. “These e-mails are now perfectly written and highly personalised, often leveraging information from social media or previous data breaches. They may seem to originate from trusted sources such as retailers, delivery services, or even colleagues, making detection increasingly difficult.” To mitigate risk, Varma suggests always verifying sender addresses and avoiding clicking on suspicious links. “If an e-mail creates urgency around financial transactions or credentials, pause and confirm its legitimacy through an alternative channel.”
Fake Shipping Notifications
Scammers are playing a game of chance – and the odds are in their favour. Chances are that at any given moment, there are multiple people who are expecting a package. “Scammers exploit this by sending fake delivery updates, often requesting payment or personal details.” These updates may include a link that you are prompted to click on, whereby data or money is stolen. “Legitimate carriers rarely ask for sensitive information via email or text. Always check tracking numbers directly on the carrier’s official website.”
Your Holiday Security Checklist
Varma has a checklist that SMEs can use to ensure they stay safe during the festive season.
- Update devices: Install pending software updates before travelling or logging off for the holidays.
- Enable AI-powered security features: Turn on AI-powered security features and keep software and devices updated so you benefit from the latest AI-driven protections.
- Enable Multi-Factor Authentication (MFA): Turn it on for all accounts. It’s one of the simplest and most effective defences against unauthorised access.
- Shop smart: Always shop on secure websites, verify URLs, and use trusted payment methods. Avoid deals that seem too good to be true.
- Protect work credentials: Never use work credentials for personal accounts or store them in personal password managers.
Keep the Holidays Joyful, Not Stressful
“Everyone plays a critical role in strengthening South Africa’s digital ecosystem,” she says. “While AI makes phishing e-mails more convincing, the most effective defence remains simple: verify before clicking, enable multi-factor authentication, and stay alert. Awareness beats AI-powered scams.
“The holidays should be enjoyable, not stressful. By staying vigilant, verifying unexpected communications, and reporting anything suspicious, you help protect yourself and your organisation. Remember, the real cost of ‘just one click’ can be severe – compromised credentials, exposure of sensitive data, and even unauthorised access to customer information or intellectual property. False alarms have no negative consequences, but missing a real threat can be costly.
“Security is a shared responsibility. Simple steps, combined with the advanced protections built into modern technology, can help keep your accounts, devices, and data safe,” Varma emphasises. “By staying informed and proactive, we can ensure the only surprises this season are the good ones.”